
Commit ad5a0e1

authored
[#5727] OpenSSL August 2021 patches. (#152)
* Back to downloading with Start-BitsTransfer on Windows. * Updated OpenSSL 1.1.1 sources to version 1.1.1l. * Build OpenSSL 1.1.1l instead of 1.1.1k where needed. * Patched OpenSSL 1.0.2 sources for CVE-2021-3712. * Updated cffi sources to version 1.14.6. * Use latest cffi version. * Updated version for our patched OpenSSL 1.0.2v sources. * Updated external deps docs. * Use the paxctl package on Alpine 3.14. * Use published CentOS 5.11 chevah setup.
1 parent 039620e commit ad5a0e1


5,573 files changed

+2505
-814
lines changed



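--- a/.github/workflows/bare.yaml
+++ b/.github/workflows/bare.yaml
@@ -176,9 +176,7 @@ jobs:
 run: |
 chocolatey install --yes --no-progress make nasm 7zip curl
 # There's no vcpython27 choco pkg since Microsoft removed the installer.
-#Start-BitsTransfer https://bin.chevah.com:20443/third-party-stuff/VCForPython27.msi
-# Pending upstream fix for SFTPPlus, we use the real curl for now.
-curl.exe -O https://bin.chevah.com:20443/third-party-stuff/VCForPython27.msi
+Start-BitsTransfer https://bin.chevah.com:20443/third-party-stuff/VCForPython27.msi
 msiexec /quiet /i VCForPython27.msi
 
 - name: Clone sources independently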
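Review bot: The MSI fetched by the restored `Start-BitsTransfer` line is handed straight to `msiexec /quiet /i` on the next line with no integrity check, so the build installs whatever bin.chevah.com serves at that moment. Because VCForPython27.msi is a fixed artifact, comparing its SHA-256 against a value recorded in the workflow would reject a corrupted or substituted download before it is executed, e.g. `if ((Get-FileHash VCForPython27.msi -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256 placeholder, taken from a known-good copy>') { throw 'VCForPython27.msi checksum mismatch' }` placed between the transfer and the msiexec line. A short comment recording where the expected hash came from would make the value auditable later. The `run:` step continues past the hunk, so the rest of the PowerShell block is not visible here.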

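--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -30,7 +30,9 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-container: [ 'alpine:3.14', 'centos:8.2.2004', 'centos:5.11' ]
+# CentOS 5.11 setup was saved as an image pushed to Docker Hub. See the
+# Overview section at https://hub.docker.com/r/proatria/centos for details.
+container: [ 'alpine:3.14', 'centos:8.2.2004', 'proatria/centos:5.11-chevah1' ]
 timeout-minutes: 30
 steps:
 
@@ -39,9 +41,7 @@ jobs:
 if: startsWith(matrix.container, 'alpine')
 run: |
 apk upgrade -U
-apk add git curl bash gcc make m4 automake libtool patch zlib-dev libffi-dev ncurses-dev linux-headers musl-dev openssl-dev lddtree shadow sudo openssh-client
-curl -o /usr/local/bin/paxctl https://bin.chevah.com:20443/third-party-stuff/alpine/paxctl-3.12
-chmod +x /usr/local/bin/paxctl
+apk add git curl bash gcc make m4 automake libtool patch zlib-dev libffi-dev ncurses-dev linux-headers musl-dev openssl-dev lddtree shadow sudo openssh-client paxctl
 
 # Stick to CentOS 8.2 as OpenSSL got updated in 8.3 from 1.1.1c to 1.1.1g.
 - name: CentOS 8.2 setup
@@ -52,23 +52,6 @@ jobs:
 yum -y upgrade
 yum -y install git curl gcc make m4 automake libtool patch openssl-devel zlib-devel libffi-devel ncurses-devel sudo which openssh-clients
 
-# Final CentOS 5 version is used to build the generic Linux package.
-- name: CentOS 5.11 setup
-if: matrix.container == 'centos:5.11'
-run: |
-sed -i s/^mirrorlist=/#mirrorlist=/ /etc/yum.repos.d/*.repo
-sed -i s@^#baseurl=http://mirror.centos.org/centos/\$releasever/@baseurl=http://vault.centos.org/5.11/@ /etc/yum.repos.d/*.repo
-yum -y upgrade
-# Use https://bin.chevah.com:20443/third-party-stuff/centos5/tuxad/
-# when tuxad.de dissapears, it has the minimum required stuff.
-rpm -i http://www.tuxad.de/rpms/tuxad-release-5-1.noarch.rpm
-yum -y install wget curl gcc44 make m4 automake libtool patch sudo which openssh-clients
-ln -s /usr/bin/gcc44 /usr/local/bin/gcc
-wget --mirror --no-parent https://bin.chevah.com:20443/third-party-stuff/centos5/endpoint/
-cd bin.chevah.com\:20443/third-party-stuff/centos5/endpoint/
-rpm -i local-perl-*.rpm
-rpm -i --nodeps git{-core,}-2.5.0-1.ep.x86_64.rpm
-
 # On a Docker container, everything runs as root by default.
 - name: Chevah user setup
 run: |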
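Review bot: The new `proatria/centos:5.11-chevah1` matrix entry in the first hunk pins the CentOS 5 build environment only by a mutable Docker Hub tag, so the image the job runs on can change silently whenever that tag is re-pushed, and the previous in-workflow setup that showed what was installed is gone with this commit. Referencing the image by digest, `'proatria/centos@sha256:<DIGEST placeholder, from the pushed image's manifest>'`, or at least recording the digest in the comment above the line, keeps the environment reproducible and auditable; the pre-existing `alpine:3.14` and `centos:8.2.2004` entries have the same weakness. The comment points at the Docker Hub overview for how the image was built; linking the Dockerfile or setup script under version control would be a stronger record than a hub page. Any `matrix.container == …` comparisons outside this section would also need the new image name, though none are visible here beyond the `startsWith(matrix.container, 'alpine')` context line.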

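--- a/chevah_build
+++ b/chevah_build
@@ -4,9 +4,7 @@
 #
 # build
 # test
-# publish_production
-# publish_staging
-#
+# compat (for the compat repo tests)
 
 PYTHON_BUILD_VERSION="2.7.18"
 LIBFFI_VERSION="3.2.1"
@@ -15,12 +13,12 @@ BZIP2_VERSION="1.0.8"
 # We statically build the BSD libedit on selected platforms to get the
 # readline module available without linking to the GPL-only readline libs.
 LIBEDIT_VERSION="20170329-3.1"
-OPENSSL_VERSION="1.1.1k"
+OPENSSL_VERSION="1.1.1l"
 SQLITE_VERSION="3.36.0"
 
 # Python modules versions to be used everywhere possible.
 PYSQLITE_VERSION="2.8.3"
-CFFI_VERSION="1.14.5"
+CFFI_VERSION="1.14.6"
 # 19.1.0 is used with OpenSSL 1.0.2 libs.
 PYOPENSSL_VERSION="20.0.1"
 SCANDIR_VERSION="1.10.0"
@@ -196,7 +194,7 @@ case $OS in
 # As of January 2021, OpenSSL 1.0.2u is the latest version from IBM.
 export BUILD_OPENSSL="yes"
 # 1.1.1 tests fail on AIX, use 1.0.2 with patches from Ubuntu 16.04 LTS.
-OPENSSL_VERSION="1.0.2v-chevah2"
+OPENSSL_VERSION="1.0.2v-chevah3"
 # Perl's Test::Simple and its deps are required for building OpenSSL.
 execute perl -MTest::Simple -e 1
 # cryptography 3.2.x, last version to support OpenSSL 1.0.2.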

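--- a/external_deps.csv
+++ b/external_deps.csv
@@ -2,21 +2,21 @@ OS,AIX,,,Amazon,Alpine,,Debian,FreeBSD,,HP-UX,macOS,OS X,RHEL,,,,SLES,,Solaris,,
 OS Version,5.3³,6.1³,7.1¹,,3.12³,3.14¹,5.0+³,11.4³,12.2²,11.31²,10.13+¹,10.8³,5.11¹,6.x¹,7.x¹,8.x¹,11SP4¹,12SP3¹,10u8+³,11.0/11.1³,11.2²,11.4²,14.04²,16.04¹,18.04¹,20.04¹,"XP, 2003, 2008²","2012r2, 2016, 2019¹"
 "OpenSSL /
 LibreSSL⁶","1.0.2v-chevah2 (statically linked with stdlib “ssl”)
-1.0.2v-chevah2 (statically linked with cryptography)",1.0.2k (from AIX Web Download Pack Programs),"1.0.2v-chevah2 (statically linked with stdlib “ssl”)
-1.0.2v-chevah2 (statically linked with cryptography)","1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)",1.1.1j,1.1.1k,"1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)",1.0.1u,1.0.2s,1.0.2h,"1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)","1.1.1g (statically built for stdlib “ssl”)
-1.1.1g (bundled with upstream cryptography 2.9.1)","1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)","1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)","1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)",1.1.1c FIPS,"1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)","1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)",1.0.2n (from upstream Oracle patches),1.0.0x,1.0.1h,1.0.2o,"1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)","1.1.1k (statically linked with stdlib “ssl”)
-1.1.1k (statically linked with cryptography)",1.1.0g,1.1.1f,"1.0.2t (bundled with upstream Python 2.7.18)
+1.0.2v-chevah2 (statically linked with cryptography)",1.0.2k (from AIX Web Download Pack Programs),"1.0.2v-chevah3 (statically linked with stdlib “ssl”)
+1.0.2v-chevah3 (statically linked with cryptography)","1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)",1.1.1j,1.1.1l,"1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)",1.0.1u,1.0.2s,1.0.2h,"1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)","1.1.1g (statically built for stdlib “ssl”)
+1.1.1g (bundled with upstream cryptography 2.9.1)","1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)","1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)","1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)",1.1.1c FIPS,"1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)","1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)",1.0.2n (from upstream Oracle patches),1.0.0x,1.0.1h,1.0.2o,"1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)","1.1.1l (statically linked with stdlib “ssl”)
+1.1.1l (statically linked with cryptography)",1.1.0g,1.1.1f,"1.0.2t (bundled with upstream Python 2.7.18)
 1.1.1g (bundled with upstream cryptography 2.9.1)","1.0.2t¹⁰ (bundled with upstream Python 2.7.18)
-1.1.1k (built from upstream sources)"
+1.1.1l (built from upstream sources)"
 Python,2.7.18+patches,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.8⁴,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18¹¹,2.7.18¹³
 SQLite,3.34.1,3.34.1,3.36.0,3.36.0,3.34.1,3.36.0,3.36.0,3.30.1,3.34.1,3.34.1,3.36.0,3.30.1,3.36.0,3.36.0,3.36.0,3.36.0,3.36.0,3.36.0,3.34.1,3.30.1,3.34.1,3.34.1,3.36.0,3.36.0,3.36.0,3.36.0,3.30.1 (we overwrite version from upstream Python at build time),3.36.0 (we overwrite version from upstream Python at build time)
 Expat,2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.1.0⁵ (bundled with Python 2.7.8),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python)
@@ -27,13 +27,13 @@ libedit,n/a,n/a,n/a,n/a,20170329-3.1,20170329-3.1,n/a,20170329-3.1,20170329-3.1,
 pysqlite,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,"n/a, upstream sqlite3 is used","n/a, upstream sqlite3 is used"
 pip,20.3.4,9.0.3,20.3.4,20.3.4,9.0.3,20.3.4,20.3.4,9.0.3,20.3.4,20.3.4,20.3.4,9.0.3,20.3.4,20.3.4,20.3.4,20.3.4,20.3.4,20.3.4,20.3.4,9.0.3,20.3.4,20.3.4,20.3.4,20.3.4,20.3.4,20.3.4,20.3.4,20.3.4
 setuptools,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,41.6.0,41.6.0,41.6.0,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1,44.1.1
-wheel,0.36.2,0.33.6,0.36.2,0.36.2,0.33.6,0.36.2,0.36.2,0.33.6,0.36.2,0.36.2,0.36.2,0.33.6,0.36.2,0.36.2,0.36.2,0.36.2,0.36.2,0.36.2,0.36.2,0.33.6,0.36.2,0.36.2,0.36.2,0.36.2,0.36.2,0.36.2,0.36.2,0.36.2
+wheel,0.36.2,0.33.6,0.37.0,0.37.0,0.33.6,0.37.0,0.37.0,0.33.6,0.37.0,0.36.2,0.37.0,0.33.6,0.37.0,0.37.0,0.37.0,0.37.0,0.37.0,0.37.0,0.36.2,0.33.6,0.36.2,0.37.0,0.37.0,0.37.0,0.37.0,0.37.0,0.36.2,0.37.0
 pycparser,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20,2.20
 setproctitle,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10
 cryptography,3.2.1¹²,2.9.2¹²,3.2.1¹²,3.3.2,3.3.2,3.3.2,3.3.2,2.9.2¹²,3.3.2,n/a,3.3.2,2.9.2¹² (wheel includes OpenSSL),3.3.2,3.3.2,3.3.2,3.3.2,3.3.2,3.3.2,n/a,n/a,n/a,3.2.1¹²,3.3.2,3.3.2,3.3.2,3.3.2,2.9.2¹² (wheel includes OpenSSL),3.3.2 (wheel includes OpenSSL)
 six,1.15.0,1.13.0,1.15.0,1.15.0,1.15.0,1.15.0,1.15.0,1.11.0,1.15.0,1.15.0,1.15.0,1.11.0,1.15.0,1.15.0,1.15.0,1.15.0,1.15.0,1.15.0,1.15.0,1.11.0,1.15.0,1.15.0,1.11.0,1.11.0,1.11.0,1.11.0,1.11.0,1.11.0
 ipaddress,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,n/a,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,n/a,n/a,n/a,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23
-cffi,1.14.5,1.14.0,1.14.5,1.14.5,1.14.0,1.14.5,1.14.5,1.14.0,1.14.5,n/a,1.14.5,1.14.0,1.14.5,1.14.5,1.14.5,1.14.5,1.14.5,1.14.5,n/a,1.14.0,1.14.5,1.14.5,1.14.5,1.14.5,1.14.5,1.14.5,1.14.0,1.14.5
+cffi,1.14.5,1.14.0,1.14.6,1.14.6,1.14.0,1.14.6,1.14.6,1.14.0,1.14.6,n/a,1.14.6,1.14.0,1.14.6,1.14.6,1.14.6,1.14.6,1.14.6,1.14.6,n/a,1.14.0,1.14.5,1.14.6,1.14.6,1.14.6,1.14.6,1.14.6,1.14.0,1.14.6
 asn1crypto,n/a,1.2.0,n/a,n/a,n/a,n/a,n/a,1.2.0,n/a,n/a,n/a,1.2.0,n/a,n/a,n/a,n/a,n/a,n/a,n/a,1.2.0,n/a,n/a,n/a,n/a,n/a,n/a,1.2.0,n/a
 enum34,1.1.10,1.1.6,1.1.10,1.1.10,1.1.6,1.1.10,1.1.10,1.1.6,1.1.10,n/a,1.1.10,1.1.6,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,,,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.6,1.1.10
 idna,n/a,2.6,n/a,n/a,n/a,n/a,n/a,2.6,n/a,n/a,n/a,2.6,n/a,n/a,n/a,n/a,n/a,n/a,n/a,2.6,n/a,n/a,n/a,n/a,n/a,n/a,2.6,n/a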
